
We recommend using Azure Native.

Azure Classic v5.70.0 published on Wednesday, Mar 27, 2024 by Pulumi

azure.keyvault.KeyVault


    Manages a Key Vault.

    Disclaimers

    Note: Key Vault Access Policies can be defined either within the azure.keyvault.KeyVault resource via the access_policy block or by using the azure.keyvault.AccessPolicy resource. The two methods cannot both be used to manage Access Policies on the same Key Vault, because they will conflict.

    Note: Key Vault Certificate Contacts can be defined either within the azure.keyvault.KeyVault resource via the contact block or by using the azure.keyvault.CertificateContacts resource. The two methods cannot both be used to manage Certificate Contacts on the same Key Vault, because they will conflict.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    // Identity Pulumi is running as. Its tenant and object IDs are reused for
    // the vault itself and for the single inline access policy below.
    const current = azure.core.getClientConfig({});
    const tenantId = current.then(cfg => cfg.tenantId);
    const objectId = current.then(cfg => cfg.objectId);

    const example = new azure.core.ResourceGroup("example", {
        location: "West Europe",
        name: "example-resources",
    });

    // Inline access policy: the deploying principal gets "Get" only on keys,
    // secrets and storage. Inline policies must not be mixed with separate
    // azure.keyvault.AccessPolicy resources on the same vault (they conflict).
    const deployerReadOnly = {
        tenantId,
        objectId,
        keyPermissions: ["Get"],
        secretPermissions: ["Get"],
        storagePermissions: ["Get"],
    };

    // publicNetworkAccessEnabled is not set here, so it keeps its default of
    // true, and no networkAcls block restricts which networks reach the vault.
    const exampleKeyVault = new azure.keyvault.KeyVault("example", {
        name: "examplekeyvault",
        resourceGroupName: example.name,
        location: example.location,
        tenantId,
        skuName: "standard",
        // Lets Azure Disk Encryption retrieve secrets and unwrap keys.
        enabledForDiskEncryption: true,
        // 7 is the lowest accepted value (range 7-90, default 90); this field
        // can only be configured once and cannot be updated afterwards.
        softDeleteRetentionDays: 7,
        // With purge protection off, a soft-deleted vault can be purged before
        // the retention period ends. Once enabled it cannot be disabled.
        purgeProtectionEnabled: false,
        accessPolicies: [deployerReadOnly],
    });
    
    import pulumi
    import pulumi_azure as azure
    
    # Identity Pulumi is running as. Its tenant and object IDs are reused for
    # the vault itself and for the single inline access policy below.
    current = azure.core.get_client_config()

    example = azure.core.ResourceGroup(
        "example",
        location="West Europe",
        name="example-resources",
    )

    # Inline access policy: the deploying principal gets "Get" only on keys,
    # secrets and storage. Inline policies must not be mixed with separate
    # azure.keyvault.AccessPolicy resources on the same vault (they conflict).
    deployer_read_only = azure.keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=["Get"],
        secret_permissions=["Get"],
        storage_permissions=["Get"],
    )

    # public_network_access_enabled is not set here, so it keeps its default of
    # True, and no network_acls block restricts which networks reach the vault.
    example_key_vault = azure.keyvault.KeyVault(
        "example",
        name="examplekeyvault",
        resource_group_name=example.name,
        location=example.location,
        tenant_id=current.tenant_id,
        sku_name="standard",
        # Lets Azure Disk Encryption retrieve secrets and unwrap keys.
        enabled_for_disk_encryption=True,
        # 7 is the lowest accepted value (range 7-90, default 90); this field
        # can only be configured once and cannot be updated afterwards.
        soft_delete_retention_days=7,
        # With purge protection off, a soft-deleted vault can be purged before
        # the retention period ends. Once enabled it cannot be disabled.
        purge_protection_enabled=False,
        access_policies=[deployer_read_only],
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares a resource group and a Key Vault with one inline,
    // read-only access policy for the identity Pulumi is running as.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Identity Pulumi is running as; its tenant and object IDs are
    		// reused for the vault and for the inline access policy.
    		clientCfg, err := core.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		tenantID := pulumi.String(clientCfg.TenantId)
    		objectID := pulumi.String(clientCfg.ObjectId)

    		rg, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Location: pulumi.String("West Europe"),
    			Name:     pulumi.String("example-resources"),
    		})
    		if err != nil {
    			return err
    		}

    		// Inline policy granting "Get" only on keys, secrets and storage.
    		// Inline policies must not be mixed with separate
    		// keyvault.AccessPolicy resources on the same vault (they conflict).
    		deployerReadOnly := &keyvault.KeyVaultAccessPolicyArgs{
    			TenantId:           tenantID,
    			ObjectId:           objectID,
    			KeyPermissions:     pulumi.StringArray{pulumi.String("Get")},
    			SecretPermissions:  pulumi.StringArray{pulumi.String("Get")},
    			StoragePermissions: pulumi.StringArray{pulumi.String("Get")},
    		}

    		// PublicNetworkAccessEnabled is not set, so it keeps its default of
    		// true, and no NetworkAcls block restricts which networks reach the vault.
    		_, err = keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
    			Name:              pulumi.String("examplekeyvault"),
    			ResourceGroupName: rg.Name,
    			Location:          rg.Location,
    			TenantId:          tenantID,
    			SkuName:           pulumi.String("standard"),
    			// Lets Azure Disk Encryption retrieve secrets and unwrap keys.
    			EnabledForDiskEncryption: pulumi.Bool(true),
    			// 7 is the lowest accepted value (range 7-90, default 90); this
    			// field can only be configured once and cannot be updated.
    			SoftDeleteRetentionDays: pulumi.Int(7),
    			// With purge protection off, a soft-deleted vault can be purged
    			// before the retention period ends. Once enabled it cannot be disabled.
    			PurgeProtectionEnabled: pulumi.Bool(false),
    			AccessPolicies:         keyvault.KeyVaultAccessPolicyArray{deployerReadOnly},
    		})
    		// err is nil on success, so returning it covers both outcomes.
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() =>
    {
        // Identity Pulumi is running as. Its tenant and object IDs are reused
        // for the vault itself and for the single inline access policy below.
        var current = Azure.Core.GetClientConfig.Invoke();
        var tenantId = current.Apply(cfg => cfg.TenantId);
        var objectId = current.Apply(cfg => cfg.ObjectId);

        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Location = "West Europe",
            Name = "example-resources",
        });

        // Inline access policy: the deploying principal gets "Get" only on keys,
        // secrets and storage. Inline policies must not be mixed with separate
        // Azure.KeyVault.AccessPolicy resources on the same vault (they conflict).
        var deployerReadOnly = new Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
        {
            TenantId = tenantId,
            ObjectId = objectId,
            KeyPermissions = new[] { "Get" },
            SecretPermissions = new[] { "Get" },
            StoragePermissions = new[] { "Get" },
        };

        // PublicNetworkAccessEnabled is not set here, so it keeps its default of
        // true, and no NetworkAcls block restricts which networks reach the vault.
        var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
        {
            Name = "examplekeyvault",
            ResourceGroupName = example.Name,
            Location = example.Location,
            TenantId = tenantId,
            SkuName = "standard",
            // Lets Azure Disk Encryption retrieve secrets and unwrap keys.
            EnabledForDiskEncryption = true,
            // 7 is the lowest accepted value (range 7-90, default 90); this field
            // can only be configured once and cannot be updated afterwards.
            SoftDeleteRetentionDays = 7,
            // With purge protection off, a soft-deleted vault can be purged before
            // the retention period ends. Once enabled it cannot be disabled.
            PurgeProtectionEnabled = false,
            AccessPolicies = new[] { deployerReadOnly },
        });
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.keyvault.KeyVault;
    import com.pulumi.azure.keyvault.KeyVaultArgs;
    import com.pulumi.azure.keyvault.inputs.KeyVaultAccessPolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that declares a resource group and a Key Vault with one
     * inline, read-only access policy for the identity Pulumi is running as.
     */
    public class App {
        /** Hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the resources of the stack.
         *
         * @param ctx the Pulumi deployment context (not read by this example)
         */
        public static void stack(Context ctx) {
            // Identity Pulumi is running as; its tenant and object IDs are
            // reused for the vault and for the inline access policy.
            final var current = CoreFunctions.getClientConfig();
            final var tenantId = current.applyValue(cfg -> cfg.tenantId());
            final var objectId = current.applyValue(cfg -> cfg.objectId());

            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .location("West Europe")
                .name("example-resources")
                .build());

            // Inline policy granting "Get" only on keys, secrets and storage.
            // Inline policies must not be mixed with separate AccessPolicy
            // resources on the same vault (they conflict).
            final var deployerReadOnly = KeyVaultAccessPolicyArgs.builder()
                .tenantId(tenantId)
                .objectId(objectId)
                .keyPermissions("Get")
                .secretPermissions("Get")
                .storagePermissions("Get")
                .build();

            // publicNetworkAccessEnabled is not set, so it keeps its default of
            // true, and no networkAcls block restricts which networks reach the vault.
            var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
                .name("examplekeyvault")
                .resourceGroupName(example.name())
                .location(example.location())
                .tenantId(tenantId)
                .skuName("standard")
                // Lets Azure Disk Encryption retrieve secrets and unwrap keys.
                .enabledForDiskEncryption(true)
                // 7 is the lowest accepted value (range 7-90, default 90); this
                // field can only be configured once and cannot be updated.
                .softDeleteRetentionDays(7)
                // With purge protection off, a soft-deleted vault can be purged
                // before the retention period ends. Once enabled it cannot be disabled.
                .purgeProtectionEnabled(false)
                .accessPolicies(deployerReadOnly)
                .build());
        }
    }
    
    # Declares a resource group and a Key Vault with one inline, read-only
    # access policy for the identity Pulumi is running as.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-resources
          location: West Europe
      # publicNetworkAccessEnabled is not set below, so it keeps its default of
      # true, and no networkAcls block restricts which networks reach the vault.
      exampleKeyVault:
        type: azure:keyvault:KeyVault
        name: example
        properties:
          name: examplekeyvault
          location: ${example.location}
          resourceGroupName: ${example.name}
          # Lets Azure Disk Encryption retrieve secrets and unwrap keys.
          enabledForDiskEncryption: true
          tenantId: ${current.tenantId}
          # 7 is the lowest accepted value (range 7-90, default 90); this field
          # can only be configured once and cannot be updated afterwards.
          softDeleteRetentionDays: 7
          # With purge protection off, a soft-deleted vault can be purged before
          # the retention period ends. Once enabled it cannot be disabled.
          purgeProtectionEnabled: false
          skuName: standard
          # Inline policy granting "Get" only on keys, secrets and storage.
          # Inline policies must not be mixed with separate
          # azure:keyvault:AccessPolicy resources on the same vault (they conflict).
          accessPolicies:
            - tenantId: ${current.tenantId}
              objectId: ${current.objectId}
              keyPermissions:
                - Get
              secretPermissions:
                - Get
              storagePermissions:
                - Get
    variables:
      # Identity Pulumi is running as; supplies the tenant and object IDs above.
      current:
        fn::invoke:
          Function: azure:core:getClientConfig
          Arguments: {}
    

    Create KeyVault Resource

    new KeyVault(name: string, args: KeyVaultArgs, opts?: CustomResourceOptions);
    @overload
    def KeyVault(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 access_policies: Optional[Sequence[KeyVaultAccessPolicyArgs]] = None,
                 contacts: Optional[Sequence[KeyVaultContactArgs]] = None,
                 enable_rbac_authorization: Optional[bool] = None,
                 enabled_for_deployment: Optional[bool] = None,
                 enabled_for_disk_encryption: Optional[bool] = None,
                 enabled_for_template_deployment: Optional[bool] = None,
                 location: Optional[str] = None,
                 name: Optional[str] = None,
                 network_acls: Optional[KeyVaultNetworkAclsArgs] = None,
                 public_network_access_enabled: Optional[bool] = None,
                 purge_protection_enabled: Optional[bool] = None,
                 resource_group_name: Optional[str] = None,
                 sku_name: Optional[str] = None,
                 soft_delete_retention_days: Optional[int] = None,
                 tags: Optional[Mapping[str, str]] = None,
                 tenant_id: Optional[str] = None)
    @overload
    def KeyVault(resource_name: str,
                 args: KeyVaultArgs,
                 opts: Optional[ResourceOptions] = None)
    func NewKeyVault(ctx *Context, name string, args KeyVaultArgs, opts ...ResourceOption) (*KeyVault, error)
    public KeyVault(string name, KeyVaultArgs args, CustomResourceOptions? opts = null)
    public KeyVault(String name, KeyVaultArgs args)
    public KeyVault(String name, KeyVaultArgs args, CustomResourceOptions options)
    
    type: azure:keyvault:KeyVault
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args KeyVaultArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KeyVaultArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KeyVaultArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KeyVaultArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KeyVaultArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    KeyVault Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The KeyVault resource accepts the following input properties:

    ResourceGroupName string
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    SkuName string
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    AccessPolicies List<KeyVaultAccessPolicy>

    A list of up to 1024 objects describing access policies, as described below.

    NOTE: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, removing the inline access policies requires explicitly setting this property to an empty list ([]).

    Contacts List<KeyVaultContact>

    One or more contact block as defined below.

    Note: This field can only be set once the user has the managecontacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    EnableRbacAuthorization bool
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    EnabledForDeployment bool
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    EnabledForDiskEncryption bool
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    EnabledForTemplateDeployment bool
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    Location string
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    Name string
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    NetworkAcls KeyVaultNetworkAcls
    A network_acls block as defined below.
    PublicNetworkAccessEnabled bool
    Whether public network access is allowed for this Key Vault. Defaults to true.
    PurgeProtectionEnabled bool

    Is Purge Protection enabled for this Key Vault?

    Note: Once Purge Protection has been enabled, it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the Key Vault for deletion; Azure then deletes it after the configured number of days (currently 90 days).

    SoftDeleteRetentionDays int

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    Tags Dictionary<string, string>
    A mapping of tags to assign to the resource.
    ResourceGroupName string
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    SkuName string
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    AccessPolicies []KeyVaultAccessPolicyArgs

    A list of up to 1024 objects describing access policies, as described below.

    NOTE: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, removing the inline access policies requires explicitly setting this property to an empty slice ([]).

    Contacts []KeyVaultContactArgs

    One or more contact block as defined below.

    Note: This field can only be set once the user has the managecontacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    EnableRbacAuthorization bool
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    EnabledForDeployment bool
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    EnabledForDiskEncryption bool
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    EnabledForTemplateDeployment bool
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    Location string
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    Name string
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    NetworkAcls KeyVaultNetworkAclsArgs
    A network_acls block as defined below.
    PublicNetworkAccessEnabled bool
    Whether public network access is allowed for this Key Vault. Defaults to true.
    PurgeProtectionEnabled bool

    Is Purge Protection enabled for this Key Vault?

    Note: Once Purge Protection has been enabled, it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the Key Vault for deletion; Azure then deletes it after the configured number of days (currently 90 days).

    SoftDeleteRetentionDays int

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    Tags map[string]string
    A mapping of tags to assign to the resource.
    resourceGroupName String
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    skuName String
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    accessPolicies List<KeyVaultAccessPolicy>

    A list of up to 1024 objects describing access policies, as described below.

    NOTE: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, removing the inline access policies requires explicitly setting this property to an empty list ([]).

    contacts List<KeyVaultContact>

    One or more contact block as defined below.

    Note: This field can only be set once the user has the managecontacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    enableRbacAuthorization Boolean
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    enabledForDeployment Boolean
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    enabledForDiskEncryption Boolean
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    enabledForTemplateDeployment Boolean
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    location String
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    name String
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    networkAcls KeyVaultNetworkAcls
    A network_acls block as defined below.
    publicNetworkAccessEnabled Boolean
    Whether public network access is allowed for this Key Vault. Defaults to true.
    purgeProtectionEnabled Boolean

    Is Purge Protection enabled for this Key Vault?

    Note: Once Purge Protection has been enabled, it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the Key Vault for deletion; Azure then deletes it after the configured number of days (currently 90 days).

    softDeleteRetentionDays Integer

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    tags Map<String,String>
    A mapping of tags to assign to the resource.
    resourceGroupName string
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    skuName string
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    tenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    accessPolicies KeyVaultAccessPolicy[]

    A list of up to 1024 objects describing access policies, as described below.

    NOTE: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, removing the inline access policies requires explicitly setting this property to an empty array ([]).

    contacts KeyVaultContact[]

    One or more contact block as defined below.

    Note: This field can only be set once the user has the managecontacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    enableRbacAuthorization boolean
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    enabledForDeployment boolean
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    enabledForDiskEncryption boolean
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    enabledForTemplateDeployment boolean
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    location string
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    name string
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    networkAcls KeyVaultNetworkAcls
    A network_acls block as defined below.
    publicNetworkAccessEnabled boolean
    Whether public network access is allowed for this Key Vault. Defaults to true.
    purgeProtectionEnabled boolean

    Is Purge Protection enabled for this Key Vault?

    Note: Once Purge Protection has been enabled, it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the Key Vault for deletion; Azure then deletes it after the configured number of days (currently 90 days).

    softDeleteRetentionDays number

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    tags {[key: string]: string}
    A mapping of tags to assign to the resource.
    resource_group_name str
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    sku_name str
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    tenant_id str
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    access_policies Sequence[KeyVaultAccessPolicyArgs]

    A list of up to 1024 objects describing access policies, as described below.

    NOTE: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, removing the inline access policies requires explicitly setting this property to an empty list ([]).

    contacts Sequence[KeyVaultContactArgs]

    One or more contact block as defined below.

    Note: This field can only be set once the user has the managecontacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    enable_rbac_authorization bool
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    enabled_for_deployment bool
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    enabled_for_disk_encryption bool
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    enabled_for_template_deployment bool
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    location str
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    name str
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    network_acls KeyVaultNetworkAclsArgs
    A network_acls block as defined below.
    public_network_access_enabled bool
    Whether public network access is allowed for this Key Vault. Defaults to true.
    purge_protection_enabled bool

    Is Purge Protection enabled for this Key Vault?

    Note: Once Purge Protection has been enabled, it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the Key Vault for deletion; Azure then deletes it after the configured number of days (currently 90 days).

    soft_delete_retention_days int

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    tags Mapping[str, str]
    A mapping of tags to assign to the resource.
    resourceGroupName String
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    skuName String
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    accessPolicies List<Property Map>

    A list of up to 1024 objects describing access policies, as described below.

    NOTE: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, removing the inline access policies requires explicitly setting this property to an empty list ([]).

    contacts List<Property Map>

    One or more contact block as defined below.

    Note: This field can only be set once the user has the managecontacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    enableRbacAuthorization Boolean
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    enabledForDeployment Boolean
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    enabledForDiskEncryption Boolean
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    enabledForTemplateDeployment Boolean
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    location String
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    name String
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    networkAcls Property Map
    A network_acls block as defined below.
    publicNetworkAccessEnabled Boolean
    Whether public network access is allowed for this Key Vault. Defaults to true.
    purgeProtectionEnabled Boolean

    Is Purge Protection enabled for this Key Vault?

    Note: Once Purge Protection has been enabled, it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the Key Vault for deletion; Azure then deletes it after the configured number of days (currently 90 days).

    softDeleteRetentionDays Number

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    tags Map<String>
    A mapping of tags to assign to the resource.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the KeyVault resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    VaultUri string
    The URI of the Key Vault, used for performing operations on keys and secrets.
    Id string
    The provider-assigned unique ID for this managed resource.
    VaultUri string
    The URI of the Key Vault, used for performing operations on keys and secrets.
    id String
    The provider-assigned unique ID for this managed resource.
    vaultUri String
    The URI of the Key Vault, used for performing operations on keys and secrets.
    id string
    The provider-assigned unique ID for this managed resource.
    vaultUri string
    The URI of the Key Vault, used for performing operations on keys and secrets.
    id str
    The provider-assigned unique ID for this managed resource.
    vault_uri str
    The URI of the Key Vault, used for performing operations on keys and secrets.
    id String
    The provider-assigned unique ID for this managed resource.
    vaultUri String
    The URI of the Key Vault, used for performing operations on keys and secrets.

    Look up Existing KeyVault Resource

    Get an existing KeyVault resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KeyVaultState, opts?: CustomResourceOptions): KeyVault
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_policies: Optional[Sequence[KeyVaultAccessPolicyArgs]] = None,
            contacts: Optional[Sequence[KeyVaultContactArgs]] = None,
            enable_rbac_authorization: Optional[bool] = None,
            enabled_for_deployment: Optional[bool] = None,
            enabled_for_disk_encryption: Optional[bool] = None,
            enabled_for_template_deployment: Optional[bool] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            network_acls: Optional[KeyVaultNetworkAclsArgs] = None,
            public_network_access_enabled: Optional[bool] = None,
            purge_protection_enabled: Optional[bool] = None,
            resource_group_name: Optional[str] = None,
            sku_name: Optional[str] = None,
            soft_delete_retention_days: Optional[int] = None,
            tags: Optional[Mapping[str, str]] = None,
            tenant_id: Optional[str] = None,
            vault_uri: Optional[str] = None) -> KeyVault
    func GetKeyVault(ctx *Context, name string, id IDInput, state *KeyVaultState, opts ...ResourceOption) (*KeyVault, error)
    public static KeyVault Get(string name, Input<string> id, KeyVaultState? state, CustomResourceOptions? opts = null)
    public static KeyVault get(String name, Output<String> id, KeyVaultState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessPolicies List<KeyVaultAccessPolicy>

    A list of up to 1024 objects describing access policies, as described below.

    Note: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, it must be explicitly set to an empty list ([]) to remove the inline policies.

    Contacts List<KeyVaultContact>

    One or more contact blocks as defined below.

    Note: This field can only be set once the user has the ManageContacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    EnableRbacAuthorization bool
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    EnabledForDeployment bool
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    EnabledForDiskEncryption bool
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    EnabledForTemplateDeployment bool
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    Location string
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    Name string
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    NetworkAcls KeyVaultNetworkAcls
    A network_acls block as defined below.
    PublicNetworkAccessEnabled bool
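    Whether public network access is allowed for this Key Vault. Defaults to true. While this is true, the network_acls block (for example default_action set to Deny) is what limits which networks can reach the vault.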
    PurgeProtectionEnabled bool

    Is Purge Protection enabled for this Key Vault? While it is disabled, a soft-deleted vault and its contents can be purged permanently before the soft-delete retention period ends.

    Note: Once Purge Protection has been enabled it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled schedules it for deletion (Azure performs the deletion after the configured number of days, currently 90 days).

    ResourceGroupName string
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    SkuName string
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    SoftDeleteRetentionDays int

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    Tags Dictionary<string, string>
    A mapping of tags to assign to the resource.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    VaultUri string
    The URI of the Key Vault, used for performing operations on keys and secrets.
    AccessPolicies []KeyVaultAccessPolicyArgs

    A list of up to 1024 objects describing access policies, as described below.

    Note: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, it must be explicitly set to an empty list ([]) to remove the inline policies.

    Contacts []KeyVaultContactArgs

    One or more contact blocks as defined below.

    Note: This field can only be set once the user has the ManageContacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    EnableRbacAuthorization bool
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    EnabledForDeployment bool
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    EnabledForDiskEncryption bool
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    EnabledForTemplateDeployment bool
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    Location string
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    Name string
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    NetworkAcls KeyVaultNetworkAclsArgs
    A network_acls block as defined below.
    PublicNetworkAccessEnabled bool
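    Whether public network access is allowed for this Key Vault. Defaults to true. While this is true, the network_acls block (for example default_action set to Deny) is what limits which networks can reach the vault.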
    PurgeProtectionEnabled bool

    Is Purge Protection enabled for this Key Vault? While it is disabled, a soft-deleted vault and its contents can be purged permanently before the soft-delete retention period ends.

    Note: Once Purge Protection has been enabled it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled schedules it for deletion (Azure performs the deletion after the configured number of days, currently 90 days).

    ResourceGroupName string
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    SkuName string
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    SoftDeleteRetentionDays int

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    Tags map[string]string
    A mapping of tags to assign to the resource.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    VaultUri string
    The URI of the Key Vault, used for performing operations on keys and secrets.
    accessPolicies List<KeyVaultAccessPolicy>

    A list of up to 1024 objects describing access policies, as described below.

    Note: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, it must be explicitly set to an empty list ([]) to remove the inline policies.

    contacts List<KeyVaultContact>

    One or more contact blocks as defined below.

    Note: This field can only be set once the user has the ManageContacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    enableRbacAuthorization Boolean
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    enabledForDeployment Boolean
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    enabledForDiskEncryption Boolean
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    enabledForTemplateDeployment Boolean
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    location String
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    name String
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    networkAcls KeyVaultNetworkAcls
    A network_acls block as defined below.
    publicNetworkAccessEnabled Boolean
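    Whether public network access is allowed for this Key Vault. Defaults to true. While this is true, the network_acls block (for example default_action set to Deny) is what limits which networks can reach the vault.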
    purgeProtectionEnabled Boolean

    Is Purge Protection enabled for this Key Vault? While it is disabled, a soft-deleted vault and its contents can be purged permanently before the soft-delete retention period ends.

    Note: Once Purge Protection has been enabled it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled schedules it for deletion (Azure performs the deletion after the configured number of days, currently 90 days).

    resourceGroupName String
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    skuName String
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    softDeleteRetentionDays Integer

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    tags Map<String,String>
    A mapping of tags to assign to the resource.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    vaultUri String
    The URI of the Key Vault, used for performing operations on keys and secrets.
    accessPolicies KeyVaultAccessPolicy[]

    A list of up to 1024 objects describing access policies, as described below.

    Note: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, it must be explicitly set to an empty list ([]) to remove the inline policies.

    contacts KeyVaultContact[]

    One or more contact blocks as defined below.

    Note: This field can only be set once the user has the ManageContacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    enableRbacAuthorization boolean
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    enabledForDeployment boolean
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    enabledForDiskEncryption boolean
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    enabledForTemplateDeployment boolean
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    location string
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    name string
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    networkAcls KeyVaultNetworkAcls
    A network_acls block as defined below.
    publicNetworkAccessEnabled boolean
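    Whether public network access is allowed for this Key Vault. Defaults to true. While this is true, the network_acls block (for example default_action set to Deny) is what limits which networks can reach the vault.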
    purgeProtectionEnabled boolean

    Is Purge Protection enabled for this Key Vault? While it is disabled, a soft-deleted vault and its contents can be purged permanently before the soft-delete retention period ends.

    Note: Once Purge Protection has been enabled it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled schedules it for deletion (Azure performs the deletion after the configured number of days, currently 90 days).

    resourceGroupName string
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    skuName string
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    softDeleteRetentionDays number

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    tags {[key: string]: string}
    A mapping of tags to assign to the resource.
    tenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    vaultUri string
    The URI of the Key Vault, used for performing operations on keys and secrets.
    access_policies Sequence[KeyVaultAccessPolicyArgs]

    A list of up to 1024 objects describing access policies, as described below.

    Note: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, it must be explicitly set to an empty list ([]) to remove the inline policies.

    contacts Sequence[KeyVaultContactArgs]

    One or more contact blocks as defined below.

    Note: This field can only be set once the user has the ManageContacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    enable_rbac_authorization bool
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    enabled_for_deployment bool
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    enabled_for_disk_encryption bool
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    enabled_for_template_deployment bool
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    location str
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    name str
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    network_acls KeyVaultNetworkAclsArgs
    A network_acls block as defined below.
    public_network_access_enabled bool
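    Whether public network access is allowed for this Key Vault. Defaults to true. While this is true, the network_acls block (for example default_action set to Deny) is what limits which networks can reach the vault.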
    purge_protection_enabled bool

    Is Purge Protection enabled for this Key Vault? While it is disabled, a soft-deleted vault and its contents can be purged permanently before the soft-delete retention period ends.

    Note: Once Purge Protection has been enabled it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled schedules it for deletion (Azure performs the deletion after the configured number of days, currently 90 days).

    resource_group_name str
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    sku_name str
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    soft_delete_retention_days int

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    tags Mapping[str, str]
    A mapping of tags to assign to the resource.
    tenant_id str
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    vault_uri str
    The URI of the Key Vault, used for performing operations on keys and secrets.
    accessPolicies List<Property Map>

    A list of up to 1024 objects describing access policies, as described below.

    Note: Because access_policy can be configured both inline and via the separate azure.keyvault.AccessPolicy resource, it must be explicitly set to an empty list ([]) to remove the inline policies.

    contacts List<Property Map>

    One or more contact blocks as defined below.

    Note: This field can only be set once the user has the ManageContacts certificate permission.

    Note: This field can only be set when public_network_access_enabled is set to true. To manage the contact with public_network_access_enabled set to false, please use the azure.keyvault.CertificateContacts resource instead of this property, and remove this property from the configuration. Especially for existing azure.keyvault.KeyVault, this means you'll need to import the azure.keyvault.CertificateContacts manually.

    enableRbacAuthorization Boolean
    Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
    enabledForDeployment Boolean
    Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
    enabledForDiskEncryption Boolean
    Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
    enabledForTemplateDeployment Boolean
    Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
    location String
    Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
    name String
    Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
    networkAcls Property Map
    A network_acls block as defined below.
    publicNetworkAccessEnabled Boolean
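    Whether public network access is allowed for this Key Vault. Defaults to true. While this is true, the network_acls block (for example default_action set to Deny) is what limits which networks can reach the vault.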
    purgeProtectionEnabled Boolean

    Is Purge Protection enabled for this Key Vault? While it is disabled, a soft-deleted vault and its contents can be purged permanently before the soft-delete retention period ends.

    Note: Once Purge Protection has been enabled it cannot be disabled. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled schedules it for deletion (Azure performs the deletion after the configured number of days, currently 90 days).

    resourceGroupName String
    The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
    skuName String
    The Name of the SKU used for this Key Vault. Possible values are standard and premium.
    softDeleteRetentionDays Number

    The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

    Note: This field can only be configured one time and cannot be updated.

    tags Map<String>
    A mapping of tags to assign to the resource.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    vaultUri String
    The URI of the Key Vault, used for performing operations on keys and secrets.

    Supporting Types

    KeyVaultAccessPolicy, KeyVaultAccessPolicyArgs

    ObjectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
    ApplicationId string
    The object ID of an Application in Azure Active Directory.
    CertificatePermissions List<string>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    KeyPermissions List<string>
    List of key permissions. Possible values are Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    SecretPermissions List<string>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    StoragePermissions List<string>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    ObjectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
    ApplicationId string
    The object ID of an Application in Azure Active Directory.
    CertificatePermissions []string
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    KeyPermissions []string
    List of key permissions. Possible values are Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    SecretPermissions []string
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    StoragePermissions []string
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    objectId String
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
    applicationId String
    The object ID of an Application in Azure Active Directory.
    certificatePermissions List<String>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions List<String>
    List of key permissions. Possible values are Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    secretPermissions List<String>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions List<String>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    objectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    tenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
    applicationId string
    The object ID of an Application in Azure Active Directory.
    certificatePermissions string[]
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions string[]
    List of key permissions. Possible values are Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    secretPermissions string[]
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions string[]
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    object_id str
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    tenant_id str
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
    application_id str
    The object ID of an Application in Azure Active Directory.
    certificate_permissions Sequence[str]
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    key_permissions Sequence[str]
    List of key permissions. Possible values are Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    secret_permissions Sequence[str]
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storage_permissions Sequence[str]
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    objectId String
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
    applicationId String
    The object ID of an Application in Azure Active Directory.
    certificatePermissions List<String>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions List<String>
    List of key permissions. Possible values are Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    secretPermissions List<String>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions List<String>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

    KeyVaultContact, KeyVaultContactArgs

    Email string
    E-mail address of the contact.
    Name string
    Name of the contact.
    Phone string
    Phone number of the contact.
    Email string
    E-mail address of the contact.
    Name string
    Name of the contact.
    Phone string
    Phone number of the contact.
    email String
    E-mail address of the contact.
    name String
    Name of the contact.
    phone String
    Phone number of the contact.
    email string
    E-mail address of the contact.
    name string
    Name of the contact.
    phone string
    Phone number of the contact.
    email str
    E-mail address of the contact.
    name str
    Name of the contact.
    phone str
    Phone number of the contact.
    email String
    E-mail address of the contact.
    name String
    Name of the contact.
    phone String
    Phone number of the contact.

    KeyVaultNetworkAcls, KeyVaultNetworkAclsArgs

    Bypass string
    Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
    DefaultAction string
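    The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny. With Allow, traffic that matches no rule is still admitted at the network layer, so ip_rules and virtual_network_subnet_ids only restrict access when this is set to Deny.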
    IpRules List<string>
    One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
    VirtualNetworkSubnetIds List<string>
    One or more Subnet IDs which should be able to access this Key Vault.
    Bypass string
    Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
    DefaultAction string
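    The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny. With Allow, traffic that matches no rule is still admitted at the network layer, so ip_rules and virtual_network_subnet_ids only restrict access when this is set to Deny.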
    IpRules []string
    One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
    VirtualNetworkSubnetIds []string
    One or more Subnet IDs which should be able to access this Key Vault.
    bypass String
    Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
    defaultAction String
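    The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny. With Allow, traffic that matches no rule is still admitted at the network layer, so ip_rules and virtual_network_subnet_ids only restrict access when this is set to Deny.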
    ipRules List<String>
    One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
    virtualNetworkSubnetIds List<String>
    One or more Subnet IDs which should be able to access this Key Vault.
    bypass string
    Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
    defaultAction string
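    The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny. With Allow, traffic that matches no rule is still admitted at the network layer, so ip_rules and virtual_network_subnet_ids only restrict access when this is set to Deny.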
    ipRules string[]
    One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
    virtualNetworkSubnetIds string[]
    One or more Subnet IDs which should be able to access this Key Vault.
    bypass str
    Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
    default_action str
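    The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny. With Allow, traffic that matches no rule is still admitted at the network layer, so ip_rules and virtual_network_subnet_ids only restrict access when this is set to Deny.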
    ip_rules Sequence[str]
    One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
    virtual_network_subnet_ids Sequence[str]
    One or more Subnet IDs which should be able to access this Key Vault.
    bypass String
    Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
    defaultAction String
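    The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny. With Allow, traffic that matches no rule is still admitted at the network layer, so ip_rules and virtual_network_subnet_ids only restrict access when this is set to Deny.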
    ipRules List<String>
    One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
    virtualNetworkSubnetIds List<String>
    One or more Subnet IDs which should be able to access this Key Vault.

    Import

    Key Vaults can be imported using the resource ID, e.g.

    $ pulumi import azure:keyvault/keyVault:KeyVault example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1
    

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.